Transcript of "Intro to Web Application Security"

2.
What is Application Security?
- Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application. [Wikipedia]
- Make sure code
  - Properly uses security mechanisms
  - Has no design or implementation flaws

6.
Test Your Hacking Knowledge
- What might happen in an application if an attacker...
  - Adds "; rm -rf /" to a menu selection passed to a system call
  - Replaces the unitprice hidden field with -500
  - Sends 1000000 'A' characters to a login script
  - Figures out the encoding used for cookies
  - Disables all client side JavaScript for form validation
  - Adds to the end of an account ID parameter "%27%20OR%201%3d1"
  - Sends 1,000 HTTP requests per second to the search field for an hour
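Added example, not part of the slides: what the quiz suffix "%27%20OR%201%3d1" does to an account lookup that builds its SQL by string concatenation, next to the parameterized form that is unaffected. The table, rows and account ids are constructed for the demo; SQLite stands in for the real database.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data: two accounts that only their owners should see.
ROWS = [("1001", "alice", 250.00), ("1002", "bob", 9.50)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance REAL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con, account_id):
    """Flawed: the decoded parameter is pasted into the SQL text."""
    sql = "SELECT id, owner FROM accounts WHERE id = '" + account_id + "'"
    try:
        return ("rows", con.execute(sql).fetchall())
    except sqlite3.OperationalError as err:
        # The database parsed the user's quote as SQL rather than as data:
        # the literal was closed early and the statement no longer parses.
        # In a real app this error text often ends up on the user's screen.
        return ("error", str(err))


def lookup_safe(con, account_id):
    """Fixed: the value is bound as a parameter and never parsed as SQL,
    so "1001' OR 1=1" is simply compared, literally, against the id column."""
    sql = "SELECT id, owner FROM accounts WHERE id = ?"
    return ("rows", con.execute(sql, (account_id,)).fetchall())


def tampered_param(account_id):
    """The quiz suffix appended to an account id, URL-decoded the way the
    web server decodes the query string before the application sees it."""
    return unquote(account_id + "%27%20OR%201%3d1")   # -> "1001' OR 1=1"


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1001"))                  # ('rows', [('1001', 'alice')])
    print(lookup_vulnerable(con, tampered_param("1001")))  # ('error', ...)
    print(lookup_safe(con, tampered_param("1001")))        # ('rows', [])
```

The syntax error from the concatenated query is the tell the quiz is hinting at: user data reached the SQL parser, which is exactly what binding the value as a parameter prevents.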

7.
Why Should I Care?
- How likely is a successful web application attack?
  - Anyone in the world, including insiders, can send an HTTP request to your server
  - Vulnerabilities are highly prevalent
  - Easy to exploit without special tools or knowledge
  - Little chance of being detected
  - Hundreds of thousands of developers with no security background or training
- Consequences?
  - Corruption or disclosure of database contents
  - Root access to web and application servers
  - Loss of authentication and access control for users
  - Defacement
  - Loss of use / availability
  - Secondary attacks from your site
- Application security is just as important as network security

8.
Attacks Shift Towards Application Layer
- 75% of all attacks on information security are directed at the web application layer
- 2/3 of all web applications are vulnerable
- Source: Gartner

9.
How Do Attackers Do It?
- Proxies
- Browser plugins
- Vulnerability scanning tools
- Many attacks can be launched using only a browser and a text editor

12.
Transparent Proxy
- http://fiddler2.com/sandbox/
- Fiddler is an HTTP debugging proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
- Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
- Others: Paros, WebScarab, etc.

19.
Cross-Site Scripting (XSS)
- Web application vulnerability that allows an attacker to execute a malicious script in a victim's web browser
- How it works
  - Web browsers support scripting languages like JavaScript that allow web pages to perform logic
  - If an attacker can get a web server to send their malicious script to a victim, the script executes as if it came from that web site
- Consequences
  - Steal session cookies
  - Deface websites
  - Information disclosure

21.
Two Types of XSS
- Stored XSS
  - Dangerous user input is stored on the site and displayed at some later time
  - Typically found in message boards, guest books, surveys
  - Like leaving a land mine for a victim to trip across on a vulnerable site
- Reflected XSS
  - Dangerous user input is immediately sent back to the user that submitted it
  - Possibly a malicious link with an embedded script
  - Typically found in search fields, error pages, etc.
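Added example covering both XSS slides above (not code from the deck): a guest book that stores and later re-displays entries (stored XSS) and a search page that echoes its query (reflected XSS), each rendered once by naive string concatenation and once with HTML encoding of the untrusted value. The guest book entries and the `<script>alert('xss')</script>` marker are constructed test input.

```python
import html

# Constructed marker input; it only needs to be recognisable as markup.
PAYLOAD = "<script>alert('xss')</script>"


def render_guestbook_vulnerable(entries):
    # Stored XSS: entries saved earlier are concatenated into the page
    # verbatim, so a script posted once runs for every later visitor.
    return "<ul>" + "".join("<li>" + e + "</li>" for e in entries) + "</ul>"


def render_search_vulnerable(query):
    # Reflected XSS: the query is echoed straight back in the response, so a
    # crafted link is enough to make the victim's browser run the script.
    return "<p>Results for " + query + "</p>"


def render_guestbook_safe(entries):
    # Fix: HTML-encode each untrusted value where it is written into the
    # page body; the browser then displays the text instead of executing it.
    items = "".join("<li>" + html.escape(e) + "</li>" for e in entries)
    return "<ul>" + items + "</ul>"


def render_search_safe(query):
    # html.escape encodes < > & " ' which is the right set for element
    # content and quoted attribute values (other contexts, such as inline
    # JavaScript or URLs, need their own encoding).
    return "<p>Results for " + html.escape(query, quote=True) + "</p>"


def contains_script_tag(page):
    """Crude check used here to show which rendering still carries markup."""
    return "<script" in page.lower()


if __name__ == "__main__":
    entries = ["nice site!", PAYLOAD]           # second entry "left" by an attacker
    print(contains_script_tag(render_guestbook_vulnerable(entries)))  # True
    print(contains_script_tag(render_guestbook_safe(entries)))        # False
    print(contains_script_tag(render_search_vulnerable(PAYLOAD)))     # True
    print(render_search_safe(PAYLOAD))  # <p>Results for &lt;script&gt;...</p>
```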

28.
CSRF (Sea-Surf)
- Cross-site request forgery, also known as one click attack or session riding
- Digg and Amazon have been targets
- Prevention
  - Include a secret, user-specific token in forms that is verified in addition to the cookie
  - Users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session
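Added example of the prevention bullet above (not from the slides): a per-session token derived with an HMAC over the session id, embedded in the site's own form and checked on every state-changing request in addition to the session cookie. The `/transfer` form, the session ids and the server secret are constructed for the demo; a real framework would store the secret in configuration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; only the server can compute tokens.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Token bound to one session: HMAC(secret, session_id). It differs for
    every user, so one user's token is useless with another user's cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    # The token sits in the form body. A page on another origin can make the
    # browser submit a request with the victim's cookie, but it cannot read
    # this page, so it cannot learn the token to include.
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
            '<input name="amount"><button>Send</button></form>')


def handle_transfer(cookie_session_id, form):
    """Accept only if the cookie AND the form token agree. `form` is the dict
    of POST fields a web framework would hand to the handler."""
    if cookie_session_id is None:
        return (401, "not logged in")
    expected = csrf_token_for(cookie_session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token.
    if not hmac.compare_digest(expected, supplied):
        return (403, "missing or wrong CSRF token")
    return (200, f"transferred {form['amount']}")


def cross_site_request(victim_session_id):
    """Request triggered from another site: the browser attaches the victim's
    cookie automatically, but the foreign form carries no valid token."""
    return handle_transfer(victim_session_id, {"amount": "500"})


def legitimate_request(session_id):
    """Submission of the site's own form: cookie plus the token it rendered."""
    token = csrf_token_for(session_id)
    return handle_transfer(session_id, {"amount": "500", "csrf_token": token})


if __name__ == "__main__":
    print(legitimate_request("sess-alice"))   # (200, 'transferred 500')
    print(cross_site_request("sess-alice"))   # (403, 'missing or wrong CSRF token')
```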